A Data Subject Access Request (DSAR) is a request made by an individual to an organisation or agency, asking for access to any personal information collected or stored about that individual.
If you receive a DSAR you must generally comply with it and give the individual access to the information within a reasonable time. Under the GDPR access is normally provided free of charge; under the Privacy Act an organisation may charge for giving access, but the charge must not be excessive and must not be applied to the making of the request itself.
Individuals make DSARs in relation to their personal information under whichever privacy regulation applies to them. Both the EU and UK General Data Protection Regulation (GDPR) and the Australian Privacy Act 1988 (Cth) (Privacy Act) recognise an individual's right to request access to the personal information an organisation holds about them. The regimes share common requirements: an obligation to provide access, transparent handling of the data, and compliance with their respective privacy principles.
This article considers how, under Australian law, organisations should handle DSARs involving employees:
- DSARs from employees;
- DSARs from prospective employees; and
- DSARs where personal information is stored on employees' own devices used in the course of their work.
1. DSARs from Employees
The Privacy Act gives individuals a general right to access their own personal information held by organisations operating in Australia. Individuals who deal with an organisation in any capacity may wish to request access to, and correction of, the personal information the organisation holds about them. For instance, a consumer may want to view their sales history or confirm their contact details are up to date. Note that the Privacy Act gives individuals no right to erasure of their personal information, so in Australia a DSAR can only seek access to and correction of personal information.
Employee record exemption
The Privacy Act exempts an organisation's acts and practices that are directly related to a current or former employment relationship and to an employee record it holds about that individual. In practice, the rules that govern how organisations must handle personal information do not extend to employee records. This exemption has no counterpart in the GDPR, and it means there is no privacy-law basis for a DSAR from a current or former employee where the information requested is an employee record.
An employee record can include:
- basic employment details
- terms of employment
- time worked
- wages paid
- payslips
- performance reviews
This exemption does not extend to prospective employees such as job applicants, or to contractors.
However, certain organisations choose to give employee records the same treatment as personal information under the Privacy Act. This will usually be disclosed in their Privacy Policy or in an employment agreement. If an organisation’s Privacy Policy states that it does not rely on the employee record exemption, then it must honour this statement and comply with DSARs from employees.
Public sector employees
The employee record exemption applies only to organisations, not to agencies, so it does not cover Australian Government (Commonwealth) public sector employees. Under the Privacy Act, those employees are entitled to make a DSAR to access their employee records and any other personal information their employer holds. State and territory public sector employees are generally covered by their own jurisdiction's privacy legislation rather than the Privacy Act.
Accessing Employee Records
There are workplace laws and regulations that govern employee records. The Fair Work Act 2009 (Cth) requires employers to keep accurate employee records for 7 years.
Under the Fair Work Regulations 2009, an employee can ask their employer to make a copy of their employee record available for inspection and copying, and the employer must comply. Former employees can rely on the same regulations to access the employee records held by a former employer.
Employees in Australia can therefore rely on the Fair Work Regulations to access their employee records even where the employee record exemption relieves the employer of having to comply with a DSAR under the Privacy Act. In practice this means that an employer must respond to a DSAR from an employee, but the regulatory basis of the request is workplace law, not privacy law. Note the narrower scope: the Fair Work Regulations cover the records the Fair Work Act requires an employer to keep (such as pay, hours, leave, superannuation and termination records), not every document that falls within the broader Privacy Act definition of an employee record, such as performance reviews.
2. DSARs from Job Applicants
The personal information of job applicants is protected under the Privacy Act, so prospective employees can submit a DSAR to the organisation they applied to. The organisation must comply with the request as it would with any other DSAR that is not exempt under the Privacy Act.
However, if giving access would reveal the employer's intentions in relation to negotiations with the individual in a way that would prejudice those negotiations, the employer may have a basis to refuse access to that material. In that situation the organisation should still comply with the DSAR for the remaining information, withholding only the documents that would prejudice the negotiations, and it should give the applicant written reasons for any part of the request it refuses.
3. DSARs where Employees use their own Devices
The Privacy Act does not specifically address how employers should comply with DSARs where employees use their own devices, such as a personal computer or mobile phone, for work purposes. This has become far more common since the shift to working from home during COVID-19.
If employees use their own devices as their work devices, any personal information collected and stored on those devices is likely to fall within the scope of a DSAR. For instance, this might arise where a supervisor reviews a colleague's performance and saves their notes to the local drive of a personal laptop.
Generally, if employees use their own devices in an official working capacity, the employer still controls any data stored or processed on those devices. That is particularly so where the organisation has a comprehensive Bring Your Own Device (BYOD) policy setting out these principles. The practical difficulty is that data saved to a local drive is much harder for the employer to locate and retrieve.
Notably, how easily an employer can access data on a personal device is irrelevant to whether that data falls within the scope of a DSAR. If the use of personal devices cannot be avoided in a working environment, employers should clearly establish that, where a DSAR is received, the employer may search the device for, and access, the organisation's data in order to comply.
A risk of this approach is that employees may claim their employer is interfering with their “right to privacy”, since they may keep their own personal information on the device and not want their employer to see it. Rather than entering the tortured argument about whether such a right exists, it is more prudent to anticipate the issue. Organisations should have a comprehensive BYOD policy that specifies how personal devices may be used for work and how the organisation's data on them may be accessed. The policy could require all organisation data to be collected, accessed and stored only on nominated corporate cloud servers or platforms, and never saved locally to a personal device; a DSAR can then be satisfied by searching the corporate systems without touching the employee's own personal data.
Understanding how to comply with a DSAR made by employees and other data subjects can be complex, and you should seek independent legal advice if you are unsure of your response.
This article was originally published on OneTrust DataGuidance which you can access here. Please get in touch with us to understand your DSAR obligations.